1 Introduction


Over the past thirteen years there has been considerable research on efficient model checking algorithms for branching-time temporal logics like CTL (see [5] for a survey). Verification tools based on these algorithms have discovered non-trivial design errors in sequential circuits and protocols [10] and are now beginning to be used in industry. There has been relatively little research, however, on efficient model checking algorithms for linear-temporal logic (LTL), and practical verification tools are virtually non-existent. In fact, the question of whether it is possible to develop such tools has been argued for many years. Sistla and Clarke [17] showed in 1982 that the model checking problem for LTL was, in general, PSPACE-complete. Later, Pnueli and Lichtenstein [14] gave an LTL model checking algorithm that was exponential in the size of the formula, but linear in the size of the model. Based on this result, they argued that the high complexity of LTL model checking might still be acceptable for short formulas. Vardi and Wolper [18] obtained a different algorithm based on ω-automata with roughly the same complexity. Unfortunately, the LTL algorithms appeared significantly more difficult to implement. Because of this, very few LTL model checkers were actually constructed. To the best of our knowledge, no experiments were made to determine how the CTL and LTL model checking algorithms actually compared in practice.

In this paper we show how LTL model checking can be reduced to CTL model checking with fairness constraints. We also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by McMillan as part of his Ph.D. thesis [16] can be extended to permit LTL specifications. We have developed a translator T that takes an LTL formula f and constructs an SMV program T(f) to build the tableau for f. The tableau construction that we use is similar to the one described in [4]. To check that f holds for some SMV program M, we combine the text of T = T(¬f) with the text of M to obtain a new SMV program P = P(T, M). We add CTL fairness constraints to P in order to make sure that eventualities of the form a U b are actually fulfilled (i.e. to eliminate those paths along which a U b and a hold continuously, but b never holds). By checking an appropriate CTL formula on P we can find the set V_f of all of those states s such that f holds along every path that begins at s. The projection of V_f to the state variables of M gives the set of states where the formula f holds.

Note that our approach makes it unnecessary to modify SMV (or even understand how SMV is actually implemented). We have evaluated the approach on several standard SMV programs (including Martin's distributed mutual exclusion circuit [15] and the synchronous arbiter described in McMillan's thesis [16]). In order to make sure that the experiments were unbiased, we deliberately chose specifications which could be expressed in both CTL and LTL. The results that we obtained were quite surprising. For the examples we considered, the LTL model checker required at most twice as much time and space as the CTL model checker. Although additional examples still need to be tried, it appears that efficient LTL model checking is possible when the specifications are not excessively complicated. In the full paper we will describe how the same basic approach can be used to extend SMV for testing inclusion between various types of ω-automata.
2 Binary Decision Diagrams

Ordered binary decision diagrams (OBDDs) are a canonical form representation for boolean formulas [3]. They are often substantially more compact than traditional normal forms such as conjunctive normal form or disjunctive normal form, and they can be manipulated very efficiently. An OBDD is similar to a binary decision tree, but has the following properties.

• Its structure is a directed acyclic graph rather than a tree.

• A total order is placed on the occurrence of variables as the graph is traversed from root to leaf.

• No two subgraphs in the graph represent the same function.

Bryant showed that given a variable ordering, the OBDD representation for a boolean formula is unique.

We can implement various important logical operations using OBDDs. The function that restricts some argument x_i of the boolean function f to a constant value b, denoted by f |_{x_i ← b}, can be computed in time which is linear in the size of the original binary decision diagram [3]. The restriction algorithm allows us to compute the OBDD for the formula ∃x_i f as f |_{x_i ← 0} + f |_{x_i ← 1}. All 16 two-argument logical operations can also be implemented efficiently on boolean functions that are represented as OBDDs. The complexity of these operations is linear in the size of the argument OBDDs [3]. Furthermore, equivalence checking of two boolean functions can be done in constant time by using a hash table properly [2].

OBDDs are extremely useful for obtaining concise representations of relations over finite domains [4, 16]. If R is an n-ary relation over {0,1}, then R can be represented by the OBDD for its characteristic function, the boolean function that maps (x_1, …, x_n) to 1 iff R(x_1, …, x_n). Otherwise, let R be an n-ary relation over the finite domain D. Using an appropriate binary encoding of D, we can represent R by an OBDD.

3 Computation Tree Logics

We begin by describing the temporal logic CTL* [8, 9, 12], which can express both linear-time and branching-time properties. In this logic, a path quantifier, either A ("for all computation paths") or E ("for some computation paths"), can prefix an assertion composed of arbitrary combinations of the usual linear-time operators G ("always"), F ("sometimes"), X ("nexttime"), and U ("until"). Both Linear Temporal Logic (LTL) and Computation Tree Logic (CTL) are included in CTL*.

There are two types of formulas in CTL*: state formulas (which are true in a specific state) and path formulas (which are true along a specific path). Let AP be the set of atomic proposition names. The syntax of state formulas is given by the following rules:

• If p ∈ AP, then p is a state formula.

• If f and g are state formulas, then ¬f and f ∨ g are state formulas.

• If f is a path formula, then E(f) is a state formula.

Two additional rules are needed to specify the syntax of path formulas:

• If f is a state formula, then f is also a path formula.

• If f and g are path formulas, then ¬f, f ∨ g, X f, and f U g are path formulas.

CTL* is the set of state formulas generated by the above rules.

We define the semantics of CTL* with respect to a Kripke structure M = (S, R, L), where S is the set of states; R ⊆ S × S is the transition relation, which must be total (i.e. for all states s ∈ S there exists a state s' ∈ S such that (s, s') ∈ R); and L : S → P(AP) is a function that labels each state with the set of atomic propositions true in that state. In this paper, we assume that all Kripke structures are finite.

A path in M is an infinite sequence of states, π = s_0, s_1, … such that for every i ≥ 0, (s_i, s_{i+1}) ∈ R. We use π^i to denote the suffix of π starting at s_i. If f is a state formula, the notation M, s ⊨ f means that f holds at state s in the Kripke structure M. Similarly, if f is a path formula, M, π ⊨ f means that f holds along path π in Kripke structure M. When the Kripke structure M is clear from context, we will usually omit it. The relation ⊨ is defined inductively as follows (assuming that f_1 and f_2 are state formulas and g_1 and g_2 are path formulas):


1. s ⊨ p ⇔ p ∈ L(s).

2. s ⊨ ¬f_1 ⇔ s ⊭ f_1.

3. s ⊨ f_1 ∨ f_2 ⇔ s ⊨ f_1 or s ⊨ f_2.

4. s ⊨ E(g_1) ⇔ there exists a path π starting with s such that π ⊨ g_1.

5. π ⊨ f_1 ⇔ s is the first state of π and s ⊨ f_1.

6. π ⊨ ¬g_1 ⇔ π ⊭ g_1.

7. π ⊨ g_1 ∨ g_2 ⇔ π ⊨ g_1 or π ⊨ g_2.

8. π ⊨ X g_1 ⇔ π^1 ⊨ g_1.

9. π ⊨ g_1 U g_2 ⇔ there exists a k ≥ 0 such that π^k ⊨ g_2 and for all 0 ≤ j < k, π^j ⊨ g_1.

The following abbreviations are used in writing CTL* formulas:

• f ∧ g = ¬(¬f ∨ ¬g)

• F f = true U f

• A(f) = ¬E(¬f)

• G f = ¬F ¬f


CTL [1, 8] is a restricted subset of CTL* that permits only branching-time operators: each of the linear-time operators G, F, X, and U must be immediately preceded by a path quantifier. More precisely, CTL is the subset of CTL* that is obtained if the following two rules are used to specify the syntax of path formulas.

• If f and g are state formulas, then X f and f U g are path formulas.

• If f is a path formula, then so is ¬f.

Linear temporal logic (LTL), on the other hand, will consist of formulas that have the form A f where f is a path formula in which the only state subformulas permitted are atomic propositions. More precisely, a path formula is either:

• an atomic proposition p ∈ AP, or

• f ∨ g, X f, or f U g, where f and g are path formulas.

There are eight basic CTL operators: AX, EX, AG, EG, AF, EF, AU and EU. Each of the eight operators can be expressed in terms of the three operators EX, EG, and EU.


4  CTL  Model  Checking 

CTL model checking is the problem of finding the set of states in a state transition graph where a given CTL formula is true. One approach for solving this problem is symbolic model checking, using an OBDD to represent the transition relation of the graph. Assume that the transition relation is given as a boolean formula R(v, v') in terms of current state variables v = (v_1, …, v_n) and next state variables v' = (v'_1, …, v'_n). The algorithm takes a CTL formula f and the OBDD that represents R(v, v'). For each subformula g, the algorithm computes the states that satisfy g in a bottom-up manner. This step is performed by OBDD operations. The algorithm returns an OBDD that represents exactly those states of the system that satisfy the formula f.

Fairness  constraints  were  introduced  for  checking  the  correctness  of  CTL  formulas  along 
fair  computation  paths.  A  fairness  constraint  can  be  an  arbitrary  set  of  states,  usually 
described  by  a  formula  of  the  logic.  A  path  is  said  to  be  fair  with  respect  to  a  set  of  fairness 
constraints  if  each  constraint  holds  infinitely  often  along  the  path.  The  path  quantifiers 
in  CTL  formulas  are  then  restricted  to  fair  paths.  The  CTL  model  checking  under  given 
fairness  constraints  can  also  be  performed  using  OBDD  operations.  As  will  be  shown  in  the 
next  section,  LTL  model  checking  can  be  reduced  to  CTL  model  checking  under  fairness 
constraints. 


5  LTL  Model  Checking 

In this section we consider the model checking problem for linear temporal logic. Let A f be a linear temporal logic formula. Thus, f is a restricted path formula in which the only state subformulas are atomic propositions. We wish to determine all of those states s ∈ S such that M, s ⊨ A f. By definition M, s ⊨ A f iff s ⊭ E ¬f. Consequently, it is sufficient to be able to check the truth of formulas of the form E f where f is a restricted path formula. If the Kripke structure is represented explicitly as a state transition graph, this problem is known to be PSPACE-complete [17] in general.

Lichtenstein and Pnueli [14] developed an algorithm for the problem that was linear in the size of the model M and exponential in the length of the formula f. Although their algorithm was linear in the size of the model, it was still impractical for large examples because of the state explosion problem. As in the case of CTL model checking, representing the transition relation as an OBDD enables the procedure to be applied to much larger examples. The exponential complexity of their algorithm in terms of formula length is caused by a tableau construction which may require exponential space in the size of the formula.

Burch et al. developed a model checking algorithm for constructing the tableau implicitly [4]. The implicit tableau construction leads to an additional reduction in space and time. We begin with an informal description of the model checking algorithm. Given a formula E f and a Kripke structure M, we construct a special Kripke structure T called the tableau for the path formula f. This structure includes every path that satisfies f. By composing T with M, we find the set of paths that appear in both T and M. A state in M will satisfy E f if and only if it is the start of a path in the composition that satisfies f. The CTL model checking procedure described in Section 4 is used to find these states.

We now describe the construction of the tableau T in detail. Let AP_f be the set of atomic propositions in f. The tableau associated with f is a structure T = (S_T, R_T, L_T) with AP_f as its set of atomic propositions. Each state in the tableau is a set of elementary formulas obtained from f. The set of elementary subformulas of f is denoted by el(f) and is defined recursively as follows:

• el(p) = {p} if p ∈ AP.

• el(¬g) = el(g).

• el(g ∨ h) = el(g) ∪ el(h).

• el(X g) = {X g} ∪ el(g).

• el(g U h) = {X(g U h)} ∪ el(g) ∪ el(h).

Thus, the set of states S_T of the tableau is P(el(f)). The labeling function L_T is defined so that each state is labeled by the set of atomic propositions contained in the state.

In order to construct the transition relation R_T, we need an additional function sat that associates with each subformula g of f a set of states in S_T. Intuitively, sat(g) will be the set of states that satisfy g.

• sat(g) = {σ | g ∈ σ} where g ∈ el(f).

• sat(¬g) = {σ | σ ∉ sat(g)}.

• sat(g ∨ h) = sat(g) ∪ sat(h).

• sat(g U h) = sat(h) ∪ (sat(g) ∩ sat(X(g U h))).

We want the transition relation to have the property that each elementary formula in a state is true in that state. Clearly, if X g is in some state σ, then all the successors of σ should satisfy g. Furthermore, since we are dealing with LTL formulas, if X g is not in σ, then σ should satisfy ¬X g. Hence, no successor of σ should satisfy g. The obvious definition for R_T is

R_T(σ, σ') = ⋀_{Xg ∈ el(f)} (σ ∈ sat(Xg) ⇔ σ' ∈ sat(g)).

Figure 1: Tableau for a U b


Figure 1 gives the tableau for the formula g = a U b. To reduce the number of edges, we connect two states σ and σ' with a bidirectional arrow if there is an edge from σ to σ' and also from σ' to σ. Each subset of el(g) is a state of T. sat(Xg) = {1, 2, 3, 5} since each of these states contains the formula Xg. sat(g) = {1, 2, 3, 4, 6} since each of these states either contains b or contains a and Xg. There is a transition from each state in sat(Xg) to each state in sat(g) and from each state in the complement of sat(Xg) to each state in the complement of sat(g).

Unfortunately, the definition of R_T does not guarantee that eventuality properties are fulfilled. We can see this behavior in Figure 1. Although state 3 belongs to sat(g), the path that loops forever in state 3 does not satisfy the formula g since b never holds on that path. Consequently, an additional condition is necessary in order to identify those paths along which f holds. A path π that starts from a state σ ∈ sat(f) will satisfy f if and only if

• For every subformula g U h of f and for every state σ on π, if σ ∈ sat(g U h) then either σ ∈ sat(h) or there is a later state τ on π such that τ ∈ sat(h).

In order to state the key property of the tableau construction, we must introduce some new notation. Let π = s_0, s_1, … be a path in a Kripke structure M; then label(π) = L(s_0), L(s_1), …. Let l = l_0, l_1, … be a sequence of subsets of some set Σ and let Σ' ⊆ Σ. The restriction of l to Σ', denoted by l|_{Σ'}, is the sequence l'_0, l'_1, … where l'_i = l_i ∩ Σ' for every i ≥ 0. The following theorem makes precise the intuitive claim that T includes every path which satisfies f.

Theorem 1 Let T be the tableau for the path formula f. Then, for every Kripke structure M and every path π' of M, if M, π' ⊨ f then there is a path π in T that starts in a state in sat(f), such that label(π')|_{AP_f} = label(π).

We prove this theorem in the Appendix.


Figure 2: Kripke Structure M


Next, we want to compute the product P = (S, R, L) of the tableau T = (S_T, R_T, L_T) and the Kripke structure M = (S_M, R_M, L_M).

• S = {(σ, σ') | σ ∈ S_T, σ' ∈ S_M and L_M(σ') ∩ AP_f = L_T(σ)}.

• R((σ, σ'), (τ, τ')) iff R_T(σ, τ) and R_M(σ', τ').

• L((σ, σ')) = L_T(σ).

P contains exactly the sequences π'' for which there are paths π in T and π' in M such that label(π'') = label(π) = label(π')|_{AP_f}. We extend the function sat to be defined over the set of states of the product P by (σ, σ') ∈ sat(g) if and only if σ ∈ sat(g).

We next apply CTL model checking and find the set of all states V in P, V ⊆ sat(f), that satisfy EG true with the fairness constraints

{sat(¬(g U h) ∨ h) | g U h occurs in f}.   (1)

Each of the states in V is in sat(f). Moreover, it is the start of an infinite path that satisfies all of the fairness constraints. These paths have the property that no subformula g U h holds almost always on the path while h remains false. The correctness of our construction is summarized by the following theorem.

Theorem 2 M, σ' ⊨ E f if and only if there is a state σ in T such that (σ, σ') ∈ sat(f) and P, (σ, σ') ⊨ EG true under fairness constraints {sat(¬(g U h) ∨ h) | g U h occurs in f}.

The  proof  of  this  theorem  is  also  given  in  the  Appendix. 

To illustrate this construction, we check the formula g = a U b on the Kripke structure M in Figure 2. The tableau T for this formula is given in Figure 1. If we compute the product P as described above, we obtain the Kripke structure shown in Figure 3. We use the CTL model checking algorithm to find the set V of states in sat(g) that satisfy the formula EG true with the fairness constraint sat(¬(a U b) ∨ b). It is easy to see that the fairness constraint corresponds to the following set of states {(2, 4'), (5, 3'), (7, 1'), (6, 2'), (1, 2')}. Thus, every state in Figure 3 satisfies EG true. However, only (2, 4'), (3, 1'), (1, 2') and (6, 2') are in sat(g), so the states 1', 2', and 4' of M satisfy E g = E[a U b].
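The construction just walked through, as an added example that is not code from the paper: it builds the tableau for a U b explicitly (el, sat and R_T as defined above), forms the product with the Kripke structure of Figure 4 read off its TRANS statements (encoding M's states as (a, b) valuations is our assumption; the state numbers of Figures 2 and 3 are not used), and evaluates EG true under the fairness constraints of (1) with an explicit-state fixpoint.

```python
from itertools import product as cartesian

# Formulas are nested tuples: ('ap', name), ('not', g), ('or', g, h), ('X', g), ('U', g, h).
A, B = ('ap', 'a'), ('ap', 'b')
A_UNTIL_B = ('U', A, B)                 # the paper's running example g = a U b


def el(f):
    """Elementary formulas el(f), following the recursive definition of Section 5."""
    op = f[0]
    if op == 'ap':
        return {f}
    if op == 'not':
        return el(f[1])
    if op == 'or':
        return el(f[1]) | el(f[2])
    if op == 'X':
        return {f} | el(f[1])
    return {('X', f)} | el(f[1]) | el(f[2])         # op == 'U'


def untils(f):
    """All subformulas of the form g U h; each contributes one fairness constraint."""
    found = {f} if f[0] == 'U' else set()
    for sub in f[1:]:
        if isinstance(sub, tuple):
            found |= untils(sub)
    return found


def tableau(f):
    """Explicit tableau T for the path formula f: states are the subsets of el(f).
    Returns (states, sat, R_T) with sat and R_T exactly as defined in Section 5."""
    elems = sorted(el(f), key=repr)
    states = [frozenset(e for e, bit in zip(elems, bits) if bit)
              for bits in cartesian((0, 1), repeat=len(elems))]

    def sat(g):
        if g in elems:                                  # elementary: sigma contains g
            return {s for s in states if g in s}
        if g[0] == 'not':
            return set(states) - sat(g[1])
        if g[0] == 'or':
            return sat(g[1]) | sat(g[2])
        return sat(g[2]) | (sat(g[1]) & sat(('X', g)))  # g = g1 U g2

    nexts = [e for e in elems if e[0] == 'X']

    def R_T(s, t):      # sigma in sat(Xg) iff sigma' in sat(g), for every Xg in el(f)
        return all((s in sat(xg)) == (t in sat(xg[1])) for xg in nexts)

    return states, sat, R_T


def fair_eg_true(states, succ, fair_sets):
    """EG true under fairness constraints on an explicit graph: the greatest set Z in
    which every state has a successor in Z and, for each fairness set, a successor
    that reaches that set inside Z (the same fixpoint a CTL model checker computes)."""
    Z = set(states)
    while True:
        keep = {s for s in Z if succ[s] & Z}
        for fair in fair_sets:
            reach = fair & Z                            # E[true U fair], restricted to Z
            frontier = True
            while frontier:
                frontier = {s for s in Z - reach if succ[s] & reach}
                reach |= frontier
            keep &= {s for s in Z if succ[s] & reach}   # EX reach
        if keep == Z:
            return Z
        Z = keep


def states_satisfying_E(f, M_succ, M_label):
    """States of M satisfying E f: product with the tableau of f, then EG true under
    the fairness constraints {sat(not(g U h) or h) | g U h occurs in f} (Theorem 2).
    M_succ maps each state of M to its successor set; M_label gives its true atoms."""
    states, sat, R_T = tableau(f)
    ap_f = {e for e in el(f) if e[0] == 'ap'}
    P = [(s, m) for s in states for m in M_succ
         if {e for e in s if e[0] == 'ap'} == M_label(m) & ap_f]
    succ = {(s, m): {(t, n) for (t, n) in P if n in M_succ[m] and R_T(s, t)}
            for (s, m) in P}
    fair_sets = [{(s, m) for (s, m) in P if s in sat(('or', ('not', u), u[2]))}
                 for u in untils(f)]
    V = fair_eg_true(P, succ, fair_sets) & {(s, m) for (s, m) in P if s in sat(f)}
    return {m for (_, m) in V}


# Kripke structure M read off the four TRANS statements of Figure 4 (constructed here;
# Figure 2's state numbers are not used): a state is an (a, b) valuation.
M_SUCC = {(1, 0): {(0, 0), (0, 1), (1, 1)},   # (a & !b)  -> next(!(a & !b))
          (1, 1): {(1, 0)},                   # (a & b)   -> next(a & !b)
          (0, 1): {(0, 1)},                   # (!a & b)  -> next(!a & b)
          (0, 0): {(0, 1)}}                   # (!a & !b) -> next(!a & b)


def M_label(m):
    """Atomic propositions true in state m of M."""
    return {ap for ap, bit in zip((A, B), m) if bit}
```

states_satisfying_E(A_UNTIL_B, M_SUCC, M_label) returns the three states in which a or b holds, matching the three states 1', 2', 4' found above, and the complementary query for ¬(a U b) shows that A(a U b) fails wherever a path into the state with neither a nor b exists.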

We now describe how the above procedure can be implemented using OBDDs. We assume that the transition relation for M is represented by an OBDD as in the previous section. In order to represent the transition relation for T in terms of OBDDs, we associate with each elementary formula g a state variable v_g. We describe the transition relation R_T as a boolean formula in terms of two copies v and v' of the state variables. The boolean formula is converted to an OBDD to obtain a concise representation of the tableau. When the composition P is constructed, it is convenient to separate out the state variables that appear in AP_f. The symbol p will be used to denote a boolean vector that assigns truth values to these state variables. Thus, each state in S_T will be represented by a pair (p, r), where r is a boolean vector that assigns values to the state variables that appear in the tableau but not in AP_f. A state in S_M will be denoted by a pair (p, q) where q is a boolean vector that assigns values to the state variables of M which are not mentioned in f. Thus, the transition relation R_P for the product of the two Kripke structures will be given by

R_P(p, q, r, p', q', r') = R_T(p, r, p', r') ∧ R_M(p, q, p', q').

Figure 3: The product P of the structure M and the tableau T

We use the symbolic model checking algorithm that handles fairness constraints to find the set of states V that satisfy EG true with the fairness constraints given in (1). The states in V are represented by boolean vectors of the form (p, q, r). Thus, a state (p, q) in M satisfies E f if and only if there exists r such that (p, q, r) ∈ V and (p, r) ∈ sat(f).

6  LTL  Model  Checking  Using  the  SMV  Model  Checker 

As  stated  in  Section  5,  LTL  model  checking  can  be  reduced  to  CTL  model  checking  under 
fairness  constraints.  If  the  tableau  and  the  fairness  constraints  for  a  given  LTL  formula  are 
represented  implicitly  as  boolean  formulas,  we  can  perform  symbolic  LTL  model  checking 
using  an  existing  symbolic  model  checker  for  CTL.  We  have  developed  a  translator  that 
enables  the  SMV  model  checker  to  handle  LTL  formulas.  For  a  given  LTL  formula,  the 
translator  generates  an  SMV  program  for  the  corresponding  tableau  and  fairness  constraints. 
We  can  perform  symbolic  LTL  model  checking  using  the  resulting  SMV  program.  In  this 
section,  we  describe  how  the  translator  works. 

We begin with a brief description of the SMV model checker. SMV is a tool for checking that finite-state systems satisfy specifications given in CTL. It uses the OBDD-based symbolic model checking algorithm in Section 4. The language component of SMV is used to describe complex finite-state systems. Figure 4 shows an SMV program for the Kripke structure in Figure 2 and a specification A(a U b). This example illustrates the basic features of SMV that are needed to explain the translation procedure. The syntax and semantics of the complete language are given in McMillan's thesis [16].

1  MODULE main        -- simple program
2  VAR
3    a: boolean;
4    b: boolean;
5  TRANS (a & !b) -> next(!(a & !b))
6  TRANS (a & b) -> next(a & !b)
7  TRANS (!a & b) -> next(!a & b)
8  TRANS (!a & !b) -> next(!a & b)
9  SPEC A[a U b]

Figure 4: Simple SMV program

Figure 5: An SMV program

SMV users can decompose the description of a complex finite-state system into modules. Module definitions begin with the keyword MODULE. The module main is the top-level module. (The example in Figure 4 contains a single module; however, our translator can handle programs with multiple modules.) Variables are declared using the keyword VAR. In the example, a and b are boolean variables (lines 3-4). The TRANS statements are used to define transitions of the model (lines 5-8). In the TRANS statements, next(g) is obtained from g by replacing each state variable v in g by the corresponding next state variable v'. For example, next(a & !b) means a' ∧ ¬b' where a' and b' are the next state variables for a and b, respectively. Thus, each TRANS statement determines a propositional formula that relates the original state variables and the next state variables. The transition relation for an SMV program is obtained by taking the conjunction of these formulas. CTL formulas are declared as specifications using the keyword SPEC (line 9).

Next, we describe the translation algorithm. Suppose that we have an SMV program with an LTL formula A f, instead of a CTL formula, as its specification. As stated in Section 5, it is sufficient to handle a formula E ¬f. The translator replaces A f with an SMV description of the tableau and the fairness constraints for ¬f. The translation of the SMV program in Figure 5 is shown in Figure 6. The translation follows the general procedure outlined in Section 5:

1. Associate a state variable with each elementary formula of ¬f.

2. Represent the transition relation of the tableau for ¬f as a boolean formula in terms of the state variables.

3. Represent fairness constraints as boolean formulas in terms of the state variables.

4. Generate a CTL specification.

In the first step, the formula f is negated and expanded to a formula in which the only operators are ∨, X, U. The parse tree of ¬f is traversed to find its elementary formulas. If a node associated with formula X g (or g U h) is visited, then the corresponding elementary formula X g (or X(g U h)) is stored in the list el_list. The translator declares a new variable for each formula X g in the list el_list. Since atomic propositions are already declared in the original SMV program, they are not declared again.

In order to generate descriptions for the transition relation and the fairness constraints, we have to construct the characteristic function S_h of sat(h) for each subformula or elementary formula h in ¬f. The translator builds these functions using a DEFINE statement*. The translator traverses the parse tree of ¬f, and generates the appropriate SMV statements at each node.


S_h := p;                                  if h = p is an atomic proposition.

S_h := EL_h;                               if h is an elementary formula X g in el_list.

S_h := !S_g;                               if h = ¬g.

S_h := S_{g_1} | S_{g_2};                  if h = g_1 ∨ g_2.

S_h := S_{g_2} | (S_{g_1} & S_{X(g_1 U g_2)});   if h = g_1 U g_2.

The transition relation can be described in terms of the characteristic functions as follows:

⋀_{Xg ∈ el(f)} (S_{Xg}(v) ⇔ S_g(v'))

The expression S_g(v') is represented in SMV by next(S_g). The translator constructs a formula S_{Xg} = next(S_g) for each X g in el_list. These formulas are combined in a TRANS statement to give the transition relation for the tableau.

TRANS (S_{Xg_1} = next(S_{g_1})) &
      (S_{Xg_2} = next(S_{g_2})) &
      ...
      (S_{Xg_n} = next(S_{g_n}))

Likewise, the translator traverses the parse tree and generates an SMV FAIRNESS constraint for each node associated with a formula of the form g U h:

FAIRNESS !S_{g U h} | S_h

Finally, the translator generates an SMV SPEC statement. From Theorem 2, it is clear that the formula E ¬f can be checked using the specification S_{¬f} ∧ EG true. Thus, in order to check the LTL formula A f = ¬E ¬f, the translator constructs an SMV SPEC statement for ¬(S_{¬f} ∧ EG true).

* This statement associates a symbol with an SMV expression. When the symbol appears in the program, it is replaced with the expression.

We illustrate the translation procedure by applying it to the simple example in Figure 4. The result of this procedure is shown in Figure 7. The statements in lines 1 through 8 come from the original SMV program, while the statements in lines 9 through 19 are generated by the tableau construction for a U b. The translation procedure first determines that a, b and X(a U b) are elementary formulas and causes the state variable EL_X_a_U_b to be declared for X(a U b) in line 10. Next, the DEFINE statement in lines 12 through 16 is constructed for the characteristic functions of sat(a), sat(b), sat(X(a U b)), sat(a U b) and sat(¬(a U b)). The TRANS statement in line 17 causes the transition relation for the tableau to be constructed, and line 18 contains the fairness constraint for a U b. Finally, the specification to be checked is given by the SPEC statement in line 19.
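As an added illustration of the translation procedure (not the authors' translator), the following generates the VAR, DEFINE, TRANS, FAIRNESS and SPEC statements for a specification A f given as a parse tree; symbol names follow Figure 7, and the fairness constraint is emitted in the S_h form stated above rather than with the bare proposition b shown in Figure 7.

```python
# Formulas are nested tuples: ('ap', name), ('not', g), ('or', g, h), ('X', g), ('U', g, h).
A, B = ('ap', 'a'), ('ap', 'b')
A_UNTIL_B = ('U', A, B)


def name(h):
    """Symbol suffix of a formula: a U b -> 'a_U_b', X(a U b) -> 'X_a_U_b', not g -> 'NOT_g'."""
    op = h[0]
    if op == 'ap':
        return h[1]
    if op == 'not':
        return 'NOT_' + name(h[1])
    if op == 'X':
        return 'X_' + name(h[1])
    return name(h[1]) + '_' + op.upper() + '_' + name(h[2])   # 'or' -> OR, 'U' -> U


def translate(f):
    """SMV text that replaces the specification A f: VAR, DEFINE, TRANS and FAIRNESS
    statements for the tableau of not f, and the SPEC !(S_{not f} & EG true).
    The four steps of Section 6 are done in a single post-order walk of the parse tree."""
    neg = ('not', f)
    el_list, defines, fairness, seen = [], [], [], set()

    def visit(h):
        if h in seen:                                   # shared subformulas are defined once
            return
        seen.add(h)
        op, s = h[0], 'S_' + name(h)
        if op == 'ap':
            defines.append(f'{s} := {h[1]};')            # atoms are variables of the program
        elif op == 'not':
            visit(h[1])
            defines.append(f'{s} := !S_{name(h[1])};')
        elif op == 'or':
            visit(h[1])
            visit(h[2])
            defines.append(f'{s} := S_{name(h[1])} | S_{name(h[2])};')
        elif op == 'X':                                  # X g is elementary: new variable EL_
            visit(h[1])
            el_list.append(h)
            defines.append(f'{s} := EL_{name(h)};')
        else:                                            # g1 U g2: X(g1 U g2) is elementary
            visit(h[1])
            visit(h[2])
            xh = ('X', h)
            el_list.append(xh)
            defines.append(f'S_{name(xh)} := EL_{name(xh)};')
            defines.append(f'{s} := S_{name(h[2])} | (S_{name(h[1])} & S_{name(xh)});')
            fairness.append(f'FAIRNESS !{s} | S_{name(h[2])}')

    visit(neg)
    lines = ['VAR'] + [f'  EL_{name(x)} : boolean;' for x in el_list]
    lines += ['DEFINE'] + ['  ' + d for d in defines]
    lines.append('TRANS ' + ' & '.join(f'(S_{name(x)} = next(S_{name(x[1])}))'
                                        for x in el_list))
    lines += fairness
    lines.append(f'SPEC !(S_{name(neg)} & EG true)')
    return '\n'.join(lines)
```

For translate(A_UNTIL_B) the output is lines 9 through 19 of Figure 7 (with S_b in the FAIRNESS line); a formula with several until subformulas yields one EL_ variable, one TRANS conjunct and one FAIRNESS line per occurrence.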

7  Experimental  Results 

This section describes the experimental results that we obtained for symbolic LTL model checking. In order to compare the performance of LTL model checking with CTL model checking, we used two sequential circuit designs whose specifications can be described in both LTL and CTL.

The first example is a distributed mutual exclusion (DME) circuit designed by Alain Martin [15]. The DME circuit is a speed-independent token ring, which consists of identical arbiter cells. A user of the DME circuit obtains exclusive access to the resource via request and acknowledge signals. We assume arbitrary delay for all gates in the circuit. Each gate is modeled as a finite-state machine that non-deterministically decides either to recompute its output or remain unchanged. We verify the correctness of the following two specifications:

1.  (Safety)  No  two  users  are  acknowledged  simultaneously. 

2.  (Liveness)  All  requests  are  eventually  acknowledged. 

The safety specification is given by the formula

$$\mathbf{AG} \bigwedge_{i \neq j} \neg(ack_i \wedge ack_j),$$

where $ack_i$ means that user $i$ is acknowledged. This formula is both an LTL formula and a CTL formula. In the experiments for this specification, infinite delays are allowed at each gate. In other words, the output value of each gate can remain unchanged forever.

Figure 6: Translator output for SMV program

 1  MODULE main -- simple program
 2  VAR
 3    a: boolean;
 4    b: boolean;
 5  TRANS (a & !b) -> next(!(a & !b))
 6  TRANS (a & b) -> next(a & !b)
 7  TRANS (!a & b) -> next(!a & b)
 8  TRANS (!a & !b) -> next(!a & b)
 9  VAR
10    EL_X_a_U_b : boolean;
11  DEFINE
12    S_a := a;
13    S_b := b;
14    S_X_a_U_b := EL_X_a_U_b;
15    S_a_U_b := S_b | (S_a & S_X_a_U_b);
16    S_NOT_a_U_b := !S_a_U_b;
17  TRANS S_X_a_U_b = next(S_a_U_b)
18  FAIRNESS !S_a_U_b | b
19  SPEC !(S_NOT_a_U_b & EG true)

Figure 7: Translator output for simple SMV program

Next, we verify that requests are eventually acknowledged. We only check this specification with respect to a single user (user 1). In this case the LTL specification has the form:

$$\mathbf{AG}(req_1 \to \mathbf{F}\, ack_1)$$

This formula is equivalent to the CTL formula:

$$\mathbf{AG}(req_1 \to \mathbf{AF}\, ack_1)$$

If infinite delays are allowed at each gate, these formulas are not true. In order to overcome this problem we use a fairness constraint which ensures that the output of each gate is reevaluated infinitely often.

SMV  provides  several  options  to  perform  model  checking.  We  verified  the  circuit  using 
the  following  approach. 

•  A single OBDD is constructed for the transition relation of the circuit.

•  The reachable states of the circuit are determined, and evaluation of the CTL operators is restricted to these states.

•  At each step in the forward search, the transition relation is restricted to the set of reachable states. The Restrict function of Coudert, Madre and Berthet [11] is used for this purpose.

#cell    #nodes              #time(sec)           trans.            #reachable states
         CTL       LTL       CTL       LTL        CTL      LTL      CTL           LTL
  3      11326     11362      17.9      20.5      2778     2781     13158         ?
  4      13458     15357      47.5      49.4      4757     4760     150344        ?
  5      22321     22348     100.5     104.4      6760     6763     1.60485e+06   ?
  6      25869     27318     182.3     193.6      8763     8766     8.2166e+06    1.64332e+07
  7      28413     33310     326.4     329.3     10766    10769     8.1784e+07    1.63568e+08
  8      44322     44369     509.2     526.3     12769    12772     7.97393e+08   1.59479e+09
  9      49702     49755     794.0     794.8     14772    14775     7.65302e+09   1.53060e+10
 10      55082     55141    1125.2    1362.7     16775    16778     7.30144e+10   1.46029e+11

Table 1: Safety specification for the DME circuit (? marks an entry that is unreadable in the scanned original)

#cell    #nodes              #time(sec)             trans.            #reachable states
         CTL       LTL       CTL        LTL         CTL      LTL      CTL           LTL
  3      12721     33940       426.1        ?       2778     3004     6579          26316
  4      26541     72029      2553.2        ?       4757     4983     75172         300688
  5      47346    120299      9623.1    21950.1        ?     6986     802425        3.2097e+06
  6      92080    183043     36995.3    66502.5     8763     8989     8.2166e+06    3.28664e+07
  7     163867    263380     97807.1   191990.0        ?    10992     8.1784e+07    3.27136e+08

Table 2: Liveness specification for the DME circuit (? marks an entry that is unreadable in the scanned original; where only one of a CTL/LTL pair of time entries is legible, it is shown in the CTL column)

Table 1 summarizes the experimental results for the safety specification, and Table 2 summarizes the results for the liveness specification. The columns show the number of cells (#cell), the maximum number of OBDD nodes used at any given time (#nodes), the run time on a SPARCstation 10 (#time(sec)), the size of the transition relation in OBDD nodes (trans.) and the number of reachable states (#reachable states). In the experiment for the safety specification, we observe that the number of reachable states for LTL model checking is twice as large as for CTL model checking. The increase in allocated OBDD nodes and run time is less than 10%. In the experiment for the liveness specification, the number of reachable states is four times larger for LTL model checking, while the increase in space and time is 1.5-3 times larger.

#cell    #nodes            #time(sec)       trans.          #reachable states
         CTL      LTL      CTL     LTL      CTL     LTL     CTL           LTL
  3       384      734       ?       ?       80     122     384           768
  4       654     1279       ?       ?      112     218     2048          4096
  5       987     1913    0.11       ?      144     318     10240         20480
  6      1383     2628    0.13       ?      176     418     49152         98304
  7      1842     3424    0.16       ?      208     518     229376        458752
  8      2364     4301       ?       ?      240     618     1.04858e+06   2.09715e+06
  9      2949     5259       ?    0.33      272     718     4.71859e+06   9.43718e+06
 10      3597     6298       ?    0.33      304     818     2.09715e+07   4.19430e+07
 11      4308     7418       ?    0.41      336     918     9.22747e+07   1.84549e+08
 12      5082     8619    0.31    0.45      368    1018     4.02653e+08   8.05306e+08

Table 3: Safety specification for the synchronous arbiter (? marks an entry that is unreadable in the scanned original; where only one of a CTL/LTL pair of time entries is legible, it is shown in the CTL column)

The second example is a synchronous bus arbiter which is described in McMillan's thesis [16]. This circuit is composed of a daisy chain of identical arbiter cells. The requester with the highest priority receives an acknowledgement from the arbiter under normal operation, while a round-robin scheme is applied when the bus traffic becomes very heavy. Each cell is modeled by a deterministic machine, so the whole arbiter circuit is also a deterministic machine. The specifications in this case are essentially the same as in the case of the DME circuit discussed previously:

1.  (Safety)  No  two  users  are  acknowledged  simultaneously. 

2.  (Liveness)  All requests are eventually acknowledged.

In  fact,  exactly  the  same  LTL  and  CTL  specifications  can  be  used. 

In the experiments using SMV, we used the options to construct single transition relations, and to compute reachable states before model checking. Table 3 shows the experimental results for the safety specification and Table 4 shows the results for the liveness specification. For the safety specification we observe that the number of reachable states for LTL model checking is twice as large as for CTL model checking. The number of allocated OBDD nodes and the run time both increase by a factor of 1.5. In the second experiment, the number of reachable states is four times larger for LTL model checking. The amount of space and time that is required is 1.5-2 times larger.


8  Directions  for  Future  Research 

Certainly the most important thing that remains to be done is to try additional examples. Based on the two examples that we have considered in detail so far, it appears that efficient LTL model checking is possible when the formula that is being checked is not excessively complicated. This does not mean that LTL will take the place of CTL in model checking applications. Many other problems, like testing inclusion and equivalence between various types of omega-automata [7], can also be reduced to CTL model checking. LTL, on the other hand, does not appear to have this flexibility. Moreover, in many of the applications of model checking to verification, it is important to be able to assert the existence of a path that satisfies some property. For example, absence of deadlock might be expressed by the CTL formula $\mathbf{AG}\,\mathbf{EF}\,start$ (regardless of what state the program enters, there exists a computation leading back to the start state). Neither this formula nor its negation can be expressed in LTL [6], so LTL model checking techniques cannot be used to decide whether the formula is true or not. Ideally, it should be possible to reason about linear-time and branching-time properties in the same logic (say, CTL*). We believe this goal can potentially be realized by extending the techniques discussed in this paper. Emerson and Lei [13] have shown how to reduce CTL* model checking to LTL model checking. If the transformation outlined in this paper can be extended to incorporate their reduction, then it should be possible to develop a model checker that can handle both types of properties.

#cell    #nodes            #time(sec)       trans.          #reachable states
         CTL      LTL      CTL     LTL      CTL     LTL     CTL           LTL
  3       996     2159       ?       ?       80     134     384           1536
  4      1531     3137       ?       ?      112     196     2048          8192
  5      2155     4254    0.43       ?      144     258     10240         40960
  6      2867     5483       ?    0.48      176     320     49152         196608
  7      3667     6820    0.48    0.61      208     382     229376        917504
  8      4555     8266    0.53    0.81      240     444     1.04858e+06   4.1943e+06
  9      5531     9821    0.71    1.01      272     506     4.71859e+06   1.88744e+07
 10      6595    10000    0.83    1.23      304     568     2.09715e+07   8.38861e+07
 11      7747    10001    1.00    1.46      336     630     9.22747e+07   3.69099e+08
 12      8987    10052    1.16    1.71      368     692     4.02653e+08   1.61061e+09

Table 4: Liveness specification for the synchronous arbiter (? marks an entry that is unreadable in the scanned original; where only one of a CTL/LTL pair of time entries is legible, it is shown in the CTL column)


Appendix 

We prove Theorem 1 and Theorem 2 of Section 5.

Theorem 1 Let $T$ be the tableau for the path formula $f$. Then, for every Kripke structure $M$ and every path $\pi'$ of $M$, if $M, \pi' \models f$ then there is a path $\pi$ in $T$ that starts in a state in $sat(f)$, such that $label(\pi')|_{AP_f} = label(\pi)$.

In order to prove this theorem, we need the following two lemmas. In the remainder of this section, $\pi' = s'_0 s'_1 \ldots$ represents a path in $M$. We denote the suffix of $\pi'$ starting from the state $s'_i$ as $\pi'_i$, i.e., $\pi'_i = s'_i s'_{i+1} \ldots$. For the path $\pi'$, we define $s_i = \{\psi \mid \psi \in el(f) \text{ and } M, \pi'_i \models \psi\}$. Note that $s_i$ is a state in $T$.

Lemma 3 For all $g \in sub(f) \cup el(f)$, $M, \pi'_i \models g$ if and only if $s_i \in sat(g)$.

Proof. The proof proceeds by induction on the structure of the formula.

1. Case $g \in el(f)$. By the definition of $s_i$, it is easy to see that $M, \pi'_i \models g$ if and only if $g \in s_i$. By the definition of $sat$, $g \in s_i$ if and only if $s_i \in sat(g)$.

2. Case $g = \neg g_1$ and $g = g_1 \vee g_2$. By the induction hypothesis and the definition of $sat$, it is easy to prove these cases.

3. Case $g = g_1\,\mathbf{U}\,g_2$. By the definition of $\mathbf{U}$, $M, \pi'_i \models g_1\,\mathbf{U}\,g_2$ if and only if $M, \pi'_i \models g_2$ or ($M, \pi'_i \models g_1$ and $M, \pi'_i \models \mathbf{X}(g_1\,\mathbf{U}\,g_2)$). By the induction hypothesis and the definition of $s_i$, $M, \pi'_i \models g_2$ or ($M, \pi'_i \models g_1$ and $M, \pi'_i \models \mathbf{X}(g_1\,\mathbf{U}\,g_2)$) if and only if $s_i \in sat(g_2) \vee (s_i \in sat(g_1) \wedge s_i \in sat(\mathbf{X}(g_1\,\mathbf{U}\,g_2)))$. By the definition of $sat$, $s_i \in sat(g_2) \vee (s_i \in sat(g_1) \wedge s_i \in sat(\mathbf{X}(g_1\,\mathbf{U}\,g_2)))$ if and only if $s_i \in sat(g_1\,\mathbf{U}\,g_2)$. □

Lemma 4 Given $\pi' = s'_0 s'_1 \ldots$ and $s_i$ as above, then $\pi = s_0 s_1 \ldots$ is a path in $T$.

Proof. Clearly, for all $i$, $s_i \in S_T$. By Lemma 3 and the definition of $\mathbf{X}$, it is easy to see the following relation: $s_i \in sat(\mathbf{X} g)$ if and only if $M, \pi'_i \models \mathbf{X} g$ if and only if $M, \pi'_{i+1} \models g$ if and only if $s_{i+1} \in sat(g)$. By the definition of $R_T$, if $s_i \in sat(\mathbf{X} g) \Leftrightarrow s_{i+1} \in sat(g)$, then $(s_i, s_{i+1}) \in R_T$. Therefore $\pi = s_0 s_1 \ldots$ is a path in $T$. □

Proof of Theorem 1. Suppose that, for a path $\pi'$ in $M$, $\pi' \models f$. By Lemma 4, we can find a path $\pi = s_0 s_1 \ldots$ in $T$. By Lemma 3, $s_0 \in sat(f)$. By the definition of $s_i$, $L_M(s'_i)|_{AP_f} = L_T(s_i)$, and thus $label(\pi')|_{AP_f} = label(\pi)$. This leads to Theorem 1. □

Theorem 2 $M, \sigma' \models \mathbf{E} f$ if and only if there is a state $\sigma$ in $T$ such that $(\sigma, \sigma') \in sat(f)$ and $P, (\sigma, \sigma') \models \mathbf{EG}\,\mathrm{True}$ under the fairness constraints given in (1).

In order to prove this theorem, we need the following three lemmas.

Lemma 5 Given $\pi = s_0 s_1 \ldots$ where $s_i$ is defined as above, then $\pi \models \mathbf{G}\,\mathrm{True}$ under the fairness constraints given in (1).

Proof. In order to show that $\pi \models \mathbf{G}\,\mathrm{True}$ under the fairness constraints, we need to prove that, for every subformula $g\,\mathbf{U}\,h$ of $f$, there are infinitely many states $s_i$ on $\pi$ such that $s_i \in sat(\neg(g\,\mathbf{U}\,h) \vee h)$. Suppose not; then there exists $i_0$ such that, for all $i > i_0$, $s_i \notin sat(\neg(g\,\mathbf{U}\,h) \vee h)$. Thus $s_i \in sat(g\,\mathbf{U}\,h)$ and $s_i \notin sat(h)$. By Lemma 3, for all $i > i_0$, $\pi'_i \models g\,\mathbf{U}\,h$ and $\pi'_i \not\models h$. Since $\pi'_i \models g\,\mathbf{U}\,h$ means $\pi'_j \models h$ for some $j \geq i$, this leads to a contradiction. □

It is easy to see the next lemma.

Lemma 6 $\pi'' = (s_0, s'_0)(s_1, s'_1) \cdots$ is a path in $P$ with $L_P((s_i, s'_i)) = L_T(s_i)$ for all $i \geq 0$ if and only if there exist a path $\pi = s_0 s_1 \cdots$ in $T$ and a path $\pi' = s'_0 s'_1 \cdots$ in $M$ with $L_T(s_i) = L_M(s'_i)|_{AP_f}$ for all $i \geq 0$.

Lemma 7 Assume that, for all $k \geq j$, $s_k \in sat(g_1) \Leftrightarrow \pi_k \models g_1$ and $s_k \in sat(g_2) \Leftrightarrow \pi_k \models g_2$. If $\pi_j \not\models g_1\,\mathbf{U}\,g_2$ and $s_j \in sat(g_1\,\mathbf{U}\,g_2)$, then, for all $k \geq j$, $\pi_k \not\models g_1\,\mathbf{U}\,g_2$ and $s_k \in sat(g_1\,\mathbf{U}\,g_2)$.

Proof. First we prove that, if $s_j \in sat(g_1\,\mathbf{U}\,g_2)$ and $\pi_j \not\models g_1\,\mathbf{U}\,g_2$, then $s_{j+1} \in sat(g_1\,\mathbf{U}\,g_2)$ and $\pi_{j+1} \not\models g_1\,\mathbf{U}\,g_2$. From the definition of $sat$, $s_j \in sat(g_1\,\mathbf{U}\,g_2)$ implies $s_j \in sat(g_2)$ or ($s_j \in sat(g_1)$ and $s_j \in sat(\mathbf{X}(g_1\,\mathbf{U}\,g_2))$). From the assumptions and the definition of $R_T$, it follows that:

$$\pi_j \models g_2 \text{ or } (\pi_j \models g_1 \text{ and } s_{j+1} \in sat(g_1\,\mathbf{U}\,g_2)). \qquad (2)$$

Since $\pi_j \not\models g_1\,\mathbf{U}\,g_2$ implies $\pi_j \not\models g_2$, (2) leads to the following:

$$\pi_j \models g_1 \text{ and } s_{j+1} \in sat(g_1\,\mathbf{U}\,g_2). \qquad (3)$$

Since $\pi_j \models g_1$ from (3) and $\pi_j \not\models g_1\,\mathbf{U}\,g_2$ from the assumption, we can also get $\pi_{j+1} \not\models g_1\,\mathbf{U}\,g_2$. Similarly we can get, for all $k = j+2, j+3, j+4, \ldots$, $s_k \in sat(g_1\,\mathbf{U}\,g_2)$ and $\pi_k \not\models g_1\,\mathbf{U}\,g_2$. □

Lemma 8 Let $\pi \models \mathbf{G}\,\mathrm{True}$ under the fairness constraints; then $T, \pi \models f$ if and only if $s_0 \in sat(f)$.

Proof. By induction on the structure of the formula, we prove, for each $g \in sub(f) \cup el(f)$, $\forall j : T, \pi_j \models g$ if and only if $s_j \in sat(g)$.

1. Case $g = p \in AP$. By the definition of $s_j$ and the definition of $sat$, it is easy to see the following relation: $\pi_j \models p$ if and only if $p \in L_T(s_j)$ if and only if $p \in s_j$ if and only if $s_j \in sat(p)$.

2. Case $g = \neg g_1$ and $g = g_1 \vee g_2$. By the induction hypothesis and the definition of $\neg$ and $\vee$, it is easy to prove these cases.

3. Case $g = \mathbf{X} g_1$. By the definition of $R_T$ and the induction hypothesis, we can see the following relation: $s_j \in sat(\mathbf{X} g_1)$ if and only if $s_{j+1} \in sat(g_1)$ if and only if $\pi_{j+1} \models g_1$ if and only if $\pi_j \models \mathbf{X} g_1$.

4. Case $g = g_1\,\mathbf{U}\,g_2$. ($\Rightarrow$) Assume that $\pi_j \models g_1\,\mathbf{U}\,g_2$; then for some $l \geq j$, $\pi_l \models g_2$ and for all $j \leq i < l$, $\pi_i \models g_1$. By the induction hypothesis, $s_l \in sat(g_2)$ and therefore $s_l \in sat(g_1\,\mathbf{U}\,g_2)$. By the definition of $R_T$, it follows that $s_{l-1} \in sat(\mathbf{X}(g_1\,\mathbf{U}\,g_2))$. But $\pi_{l-1} \models g_1$, so, by induction, $s_{l-1} \in sat(g_1)$ and therefore $s_{l-1} \in sat(g_1\,\mathbf{U}\,g_2)$. By induction on $(l - j)$ we eventually get $s_j \in sat(g_1\,\mathbf{U}\,g_2)$.

($\Leftarrow$) Suppose that $s_j \in sat(g_1\,\mathbf{U}\,g_2)$ and $\pi_j \not\models g_1\,\mathbf{U}\,g_2$. By Lemma 7, for all $k \geq j$, $s_k \in sat(g_1\,\mathbf{U}\,g_2)$ and $\pi_k \not\models g_1\,\mathbf{U}\,g_2$. This implies that $\pi_k \not\models g_2$, and thus $s_k \notin sat(g_2)$ from the induction hypothesis. Consequently $s_k \in sat(g_1\,\mathbf{U}\,g_2)$ and $s_k \notin sat(g_2)$ for all $k \geq j$. This leads to a contradiction, because $\pi \models \mathbf{G}\,\mathrm{True}$ guarantees that there are infinitely many states $s_k$ such that $s_k \in sat(\neg(g_1\,\mathbf{U}\,g_2) \vee g_2)$. Therefore if $s_j \in sat(g_1\,\mathbf{U}\,g_2)$, then $\pi_j \models g_1\,\mathbf{U}\,g_2$. □

Proof of Theorem 2. ($\Rightarrow$) Since $M, s'_0 \models \mathbf{E} f$, there is a path $\pi'$ starting at $s'_0$ with $\pi' \models f$. By Theorem 1 and Lemma 5, we obtain a path $\pi$ in $T$ with $\pi \models \mathbf{G}\,\mathrm{True}$ and $label(\pi) = label(\pi')|_{AP_f}$. By Lemma 6, there is a path $\pi''$ in $P$ such that $label(\pi'') = label(\pi)$. Since $label(\pi) = label(\pi')|_{AP_f}$ and $\pi' \models f$, we can see $\pi \models f$. Also, since $\pi \models \mathbf{G}\,\mathrm{True}$, by Lemma 8 $s_0 \in sat(f)$. Thus $(s_0, s'_0) \in sat(f)$.

Since $label(\pi) = label(\pi'')$ and $\pi \models \mathbf{G}\,\mathrm{True}$, it is clear that $\pi'' \models \mathbf{G}\,\mathrm{True}$. Therefore

$$P, (s_0, s'_0) \models \mathbf{EG}\,\mathrm{True}.$$

($\Leftarrow$) Since $(s_0, s'_0) \in sat(f)$ and $P, (s_0, s'_0) \models \mathbf{EG}\,\mathrm{True}$, there is a path $\pi''$ from $(s_0, s'_0)$ with $\pi'' \models \mathbf{G}\,\mathrm{True}$. By Lemma 6, there exist paths $\pi$ in $T$ and $\pi'$ in $M$ such that $label(\pi'') = label(\pi) = label(\pi')|_{AP_f}$. Since $\pi'' \models \mathbf{G}\,\mathrm{True}$ and $label(\pi) = label(\pi'')$, we can see $\pi \models \mathbf{G}\,\mathrm{True}$. Since $(s_0, s'_0) \in sat(f)$, $s_0 \in sat(f)$. From Lemma 8, $\pi \models f$. Since $label(\pi) = label(\pi')|_{AP_f}$, $\pi' \models f$. Therefore $M, s'_0 \models \mathbf{E} f$. □
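The following Python program is an added example, not part of the paper, that carries out the reduction of Theorem 2 explicitly rather than symbolically: it enumerates the tableau states as subsets of $el(f)$, builds $R_T$ and the product $P$ with a small Kripke structure $M$, evaluates $\mathbf{EG}\,\mathrm{True}$ under the fairness constraints (1) as the greatest fixpoint $\nu Z.\ \mathbf{EX} Z \wedge \bigwedge_c \mathbf{EX}\,\mathbf{E}[\mathrm{True}\,\mathbf{U}\,(Z \wedge c)]$, and reports whether $\mathbf{A} f$ holds from a given set of initial states by searching for a product state in $sat(\neg f)$ with a fair infinite path. $M$ is the simple program of Figure 7, lines 5 through 8, with all four states taken as initial; the tuple encoding of formulas and all identifiers are this example's own.

```python
# Added example (not the paper's code): Theorem 2 carried out explicitly.
# Formulas are nested tuples: ('true',), ('ap','a'), ('not',g), ('or',g,h), ('X',g), ('U',g,h).
from itertools import combinations

def el(f):
    """Elementary formulas of f: atomic propositions and X-formulas, with X(g U h)
    standing in for each until subformula (Section 5)."""
    op = f[0]
    if op == 'true': return set()
    if op == 'ap':   return {f}
    if op == 'not':  return el(f[1])
    if op == 'or':   return el(f[1]) | el(f[2])
    if op == 'X':    return {f} | el(f[1])
    return {('X', f)} | el(f[1]) | el(f[2])               # op == 'U'

def untils(f):
    """All until subformulas of f; each one yields a fairness constraint ~(g U h) | h."""
    if f[0] in ('true', 'ap'):
        return []
    return ([f] if f[0] == 'U' else []) + [u for g in f[1:] for u in untils(g)]

def sat(g, s):
    """Characteristic function sat(g) evaluated at tableau state s, a frozenset of
    elementary formulas (the subset of el(f) that s claims to satisfy)."""
    op = g[0]
    if op == 'true':      return True
    if op in ('ap', 'X'): return g in s
    if op == 'not':       return not sat(g[1], s)
    if op == 'or':        return sat(g[1], s) or sat(g[2], s)
    return sat(g[2], s) or (sat(g[1], s) and sat(('X', g), s))   # op == 'U'

def powerset(items):
    items = list(items)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]

def fair_eg_true(states, succ, fair_sets):
    """EG True under fairness: greatest fixpoint Z = EX Z /\ /\_c EX E[true U (Z /\ c)],
    i.e. the states with an infinite path visiting every fairness set c infinitely often."""
    pred = {s: set() for s in states}
    for s in states:
        for t in succ[s]:
            pred[t].add(s)
    Z = set(states)
    while True:
        new = {s for s in Z if any(t in Z for t in succ[s])}
        for c in fair_sets:
            reach, todo = set(Z & c), list(Z & c)     # backward search = E[true U (Z /\ c)]
            while todo:
                for p in pred[todo.pop()]:
                    if p not in reach:
                        reach.add(p)
                        todo.append(p)
            new = {s for s in new if any(t in reach for t in succ[s])}
        if new == Z:
            return Z
        Z = new

def holds_A(f, m_succ, inits):
    """Does M, s' |= A f hold for every s' in inits?  By Theorem 2, a counterexample is a
    product state (s, s') with s in sat(~f) from which P has a fair infinite path."""
    elems = el(f)
    ap_f = {e for e in elems if e[0] == 'ap'}
    xs = [e for e in elems if e[0] == 'X']
    t_states = powerset(elems)
    # R_T: (s, t) is a tableau transition iff s |= Xg exactly when t |= g, for every Xg in el(f)
    t_succ = {s: [t for t in t_states if all(sat(x, s) == sat(x[1], t) for x in xs)]
              for s in t_states}
    def compatible(s, sm):                        # L_T(s) = L_M(s') restricted to AP_f
        return {e for e in s if e[0] == 'ap'} == {('ap', p) for p in sm if ('ap', p) in ap_f}
    p_states = [(s, sm) for s in t_states for sm in m_succ if compatible(s, sm)]
    p_succ = {(s, sm): [(t, tm) for t in t_succ[s] for tm in m_succ[sm] if compatible(t, tm)]
              for (s, sm) in p_states}
    fair_sets = [{(s, sm) for (s, sm) in p_states if sat(('or', ('not', u), u[2]), s)}
                 for u in untils(f)]
    fair = fair_eg_true(p_states, p_succ, fair_sets)
    return not any((s, sm) in fair and sat(('not', f), s)
                   for (s, sm) in p_states if sm in inits)

# Constructed Kripke structure: the simple program of Figure 7, lines 5-8, all states initial.
S_AB, S_A, S_B, S_0 = frozenset({'a', 'b'}), frozenset({'a'}), frozenset({'b'}), frozenset()
M_SUCC = {S_A:  [S_AB, S_B, S_0],   # TRANS (a & !b)  -> next(!(a & !b))
          S_AB: [S_A],              # TRANS (a & b)   -> next(a & !b)
          S_B:  [S_B],              # TRANS (!a & b)  -> next(!a & b)
          S_0:  [S_B]}              # TRANS (!a & !b) -> next(!a & b)
A, B, TRUE = ('ap', 'a'), ('ap', 'b'), ('true',)
A_U_B = ('U', A, B)
F_B = ('U', TRUE, B)                               # F b
GF_B = ('not', ('U', TRUE, ('not', F_B)))          # G F b  =  ~F G ~b

if __name__ == '__main__':
    print(holds_A(A_U_B, M_SUCC, set(M_SUCC)))    # False: the path {a} {} {b} {b} ... refutes a U b
    print(holds_A(A_U_B, M_SUCC, {S_AB}))         # True
    print(holds_A(GF_B, M_SUCC, set(M_SUCC)))     # True
```

Because the tableau for $f$ and for $\neg f$ share the same elementary formulas, the same $P$ serves both the counterexample search and a direct check of $\mathbf{E} f$; the fixpoint loop is the explicit-state counterpart of the symbolic fair-$\mathbf{EG}$ computation that SMV performs on OBDDs.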
Abstract

We show how LTL model checking can be reduced to CTL model checking with fairness constraints. Using this reduction, we also describe how to construct a symbolic LTL model checker that appears to be quite efficient in practice. In particular, we show how the SMV model checking system developed by McMillan [16] can be extended to permit LTL specifications. The results that we have obtained are quite surprising. For the examples we considered, the LTL model checker required at most twice as much time and space as the CTL model checker. Although additional examples still need to be tried, it appears that efficient LTL model checking is possible when the specifications are not excessively complicated.